
Zonealarm exploits?

I thought this would be nice to show all the people who have ZoneAlarm and think they are the shizzzznit because they have it. Trojans can block ZoneAlarm by setting a Mutex in memory.

ZoneAlarm and ZoneAlarm Pro can be stopped from loading by creating a memory-resident Mutex (using a call to the CreateMutex API). Uninstalling/reinstalling ZoneAlarm in a different path has no effect.
The impact of this vulnerability is that a Trojan running on a victim's machine can prevent ZoneAlarm from loading, and thus leave the victim open for attack.

Exploit:
A Trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple call to the CreateMutex API (see msdn.microsoft.com for more information on Mutexes). ZoneAlarm and ZoneAlarm Pro are then prevented from loading as long as the Trojan is alive. If ZoneAlarm is running, all the Trojan has to do is terminate the processes of zonealarm.exe, vsmon.exe and minilog.exe first before creating the Mutex. Despite being services, vsmon.exe and minilog.exe can both be killed by any program by setting its local process token privileges to SeDebugPrivilege, giving it the power to kill any process/service.

A harmless, simple, working executable to demonstrate the vulnerability is available at: http://www.diamondcs.com.au/alerts/zonemutx.exe (16kb).
While the demo program is running, you will not be able to load ZoneAlarm or ZoneAlarm Pro, and if it finds that ZoneAlarm/ZoneAlarm Pro is running, it will terminate the ZoneAlarm processes and services first using SeDebugPrivilege before stealing the ZoneAlarm Mutex. The demo also opens an echo server socket to listen on TCP 7, allowing you to test socket connectivity/data transfer (try telnetting to 127.0.0.1 on port 7 and saying hello).

Exploit 2
This Firewall has been found to contain a serious security hole that would allow a remote attacker to TCP and UDP scan the entire host's port range without detection. This is done by specifying a special port number in the source port part of the TCP or UDP packet.

Immune systems:
ZoneAlarm version 2.6 and up

If one uses port 67 as the source ports of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.

Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).

TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 specifies source port).
ZoneAlarm Pro contains a feature called MailSafe. This is an email attachment protection for home and corporate users, which automatically renames dangerous extensions to a harmless one (.zl*). A security vulnerability in the product allows attackers to bypass this protection by attaching a file with a very long name.

Vulnerable systems:
ZoneAlarm Pro version 2.6.84 and prior

MailSafe is a feature of ZoneAlarm Pro. MailSafe identifies potentially harmful files (for example: *.exe, *.com, *.reg, *.vbs or others that can be added in the configuration screen) in e-mail attachments and renames their extension to *.zl* in addition to showing an alarm box to inform the user about this.

The problem with this feature is that it does not work with long file names, for example:
<<zonetestzonetestzonetestzonetestzonetestzonetestzonetest zonetestzonetestzonetestzonetestzonetestzonetestzonetest zonetestzonetestzonetestzonetestzonetestzonetestzonetest zonetestzonetestzonetestzonetestzonetestzonetestzonetestzonetest.com>> (the same goes for other file types such as .exe, .reg or .vbs)

You think you're safe with ZoneAlarm? Think again hahahaahahahahahahahaha
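A defender-side check for the mutex condition described in the first exploit above. This is an added example, not the DiamondCS demo program and not ZoneAlarm code: it takes the mutex name ("Zone Alarm Mutex") and the three process names exactly as the post gives them, without verifying them, and it only opens an existing mutex with OpenMutexW, so it cannot itself keep the firewall from loading. The interesting state is "mutex held but none of the firewall processes running", which is what a squatting process looks like.

```python
"""Check whether the ZoneAlarm mutex is held by something other than ZoneAlarm.

Added defender-side example; not DiamondCS's demo and not ZoneAlarm's code.
The mutex name and the three process names are taken as the post gives them
and are not verified here. The probe only opens an existing mutex
(OpenMutexW); it never creates one, so it cannot block the firewall itself.
"""
import ctypes
import subprocess
import sys

MUTEX_NAME = "Zone Alarm Mutex"                                     # from the post
FIREWALL_PROCESSES = ("zonealarm.exe", "vsmon.exe", "minilog.exe")  # from the post
SYNCHRONIZE = 0x00100000        # minimal access right for opening a mutex
ERROR_FILE_NOT_FOUND = 2        # Win32 error: no object with that name exists


def mutex_is_held(name: str = MUTEX_NAME) -> bool:
    """True if a named mutex currently exists in this session (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("named kernel mutexes exist only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    # Any failure other than "not found" (e.g. access denied) means it exists.
    return ctypes.get_last_error() != ERROR_FILE_NOT_FOUND


def firewall_processes_running(names=FIREWALL_PROCESSES) -> bool:
    """True if any of the listed image names show up in tasklist (Windows only)."""
    out = subprocess.run(["tasklist"], capture_output=True, text=True, check=False).stdout
    out = out.lower()
    return any(n in out for n in names)


def assess(mutex_held: bool, firewall_running: bool) -> str:
    """Decision logic kept separate from the probes so it runs anywhere."""
    if mutex_held and firewall_running:
        return "ok"        # the firewall itself holds its mutex
    if mutex_held:
        return "alert"     # mutex held, firewall absent: another process owns it
    if firewall_running:
        return "warn"      # firewall present but mutex free: unexpected state
    return "idle"          # nothing running, nothing held


if __name__ == "__main__":
    print(assess(mutex_is_held(), firewall_processes_running()))
```

Run it on the Windows host as the same user that runs ZoneAlarm; the probes are Windows-only, but `assess` is pure so the decision table can be exercised on any platform.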
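The source-port 67 hole in Exploit 2, modelled as the weak rule beside a stateful check. This is an added illustration, not ZoneAlarm's filtering code; the packet records are constructed to mirror the two nmap command lines in the post (source port 67 toward the 130-140 range) plus one legitimate DHCP reply and one legitimate TCP reply, and the host addresses are the ones the post uses.

```python
"""The source-port 67 hole from the post, as a weak rule beside a stateful one.

Added example, not ZoneAlarm's filtering code. The packets are constructed
to mirror the two nmap command lines in the post (source port 67, probes
into 130-140) plus one legitimate DHCP reply and one legitimate TCP reply.
"""
from dataclasses import dataclass

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S" or "SA"


def weak_exemption(pkt: Packet) -> bool:
    """The behaviour the post describes: source port 67 alone lets a packet through."""
    return pkt.sport == DHCP_SERVER_PORT


class StatefulFilter:
    """Hardened inbound check: a source port never earns an exemption by itself."""

    def __init__(self, dhcp_servers):
        self.dhcp_servers = set(dhcp_servers)
        self.awaiting_dhcp = set()   # local hosts that recently sent a DHCP request
        self.tcp_flows = set()       # (local, lport, remote, rport) opened from inside

    def note_outbound(self, pkt: Packet) -> None:
        if pkt.proto == "udp" and pkt.sport == DHCP_CLIENT_PORT and pkt.dport == DHCP_SERVER_PORT:
            self.awaiting_dhcp.add(pkt.src)
        elif pkt.proto == "tcp" and pkt.flags == "S":
            self.tcp_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allow_inbound(self, pkt: Packet) -> bool:
        if pkt.proto == "udp":
            # Only a DHCP reply (67 -> 68) from a configured server to a host that asked.
            return (pkt.sport == DHCP_SERVER_PORT and pkt.dport == DHCP_CLIENT_PORT
                    and pkt.src in self.dhcp_servers and pkt.dst in self.awaiting_dhcp)
        if pkt.proto == "tcp":
            # Only segments that belong to a connection this side initiated.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tcp_flows
        return False


def run_sample() -> dict:
    """Evaluate four constructed inbound packets under both checks."""
    victim, gateway, scanner = "192.168.128.88", "192.168.128.1", "192.168.128.5"
    fw = StatefulFilter(dhcp_servers=[gateway])
    fw.note_outbound(Packet("udp", victim, 68, gateway, 67))          # DHCP request
    fw.note_outbound(Packet("tcp", victim, 40000, gateway, 80, "S"))  # web request

    inbound = {
        "dhcp_offer": Packet("udp", gateway, 67, victim, 68),
        "udp_probe_sport67": Packet("udp", scanner, 67, victim, 137),        # nmap -g67 -sU
        "syn_probe_sport67": Packet("tcp", scanner, 67, victim, 135, "S"),   # nmap -g67 -sS
        "http_synack": Packet("tcp", gateway, 80, victim, 40000, "SA"),
    }
    return {name: (weak_exemption(p), fw.allow_inbound(p)) for name, p in inbound.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in run_sample().items():
        print(f"{name:20s} weak-exempt={weak!s:5s} stateful-allow={hardened}")
```

`weak_exemption` models only the bypass path (a packet that takes it skips the rest of the rule set and is never logged), so its `False` for the legitimate SYN/ACK simply means that packet is judged by the ordinary rules instead; the stateful filter admits the DHCP offer and the SYN/ACK while rejecting both source-port-67 probes.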
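An attachment-extension check that handles the long-name case from the MailSafe item above. This is an added example, not MailSafe's code. The post does not say why MailSafe misses long names, so the fixed-buffer variant below is an assumption included only to show how a length limit lets the extension go unseen; the rename scheme (`.zl_` plus the old extension) is a placeholder, since the post only says the extension becomes `.zl*`. The long name is reconstructed from the one printed in the post.

```python
"""Attachment-extension quarantine that works on the full file name.

Added example, not MailSafe's code. The post does not say why MailSafe
misses long names; the fixed-buffer check below is an assumption that shows
one way a length limit lets such a name past, next to a check that inspects
the whole name. The rename scheme (.zl_ plus the old extension) is a
placeholder: the post only says the extension becomes .zl*.
"""
import os

# The default dangerous extensions listed in the post, compared case-insensitively.
DANGEROUS = {".exe", ".com", ".reg", ".vbs"}

# Reconstructed from the post: three groups of 7 "zonetest" plus one of 8, then .com
LONG_NAME = " ".join(["zonetest" * 7] * 3 + ["zonetest" * 8]) + ".com"


def extension_of(name: str) -> str:
    """Lower-cased extension of the full name; trailing spaces and dots are
    dropped first because Windows drops them when it creates the file."""
    return os.path.splitext(name.rstrip(" ."))[1].lower()


def is_dangerous(name: str) -> bool:
    return extension_of(name) in DANGEROUS


def is_dangerous_fixed_buffer(name: str, limit: int = 64) -> bool:
    """Assumed weak variant: only the first `limit` characters are examined,
    so the extension of a long name is never seen."""
    return extension_of(name[:limit]) in DANGEROUS


def quarantine_name(name: str) -> str:
    """Return the name MailSafe-style: dangerous extensions become .zl_<ext>."""
    if not is_dangerous(name):
        return name
    stem, ext = os.path.splitext(name.rstrip(" ."))
    return f"{stem}.zl_{ext[1:].lower()}"


if __name__ == "__main__":
    for n in ("report.txt", "Setup.EXE", "invoice.pdf.vbs", "evil.exe.", LONG_NAME):
        print(f"{n[:30]!r:35s} full={is_dangerous(n)} fixed64={is_dangerous_fixed_buffer(n)}")
```

The point of the comparison is that the decision has to be made on the name exactly as the operating system will store it, after its own normalisation (trailing dots and spaces removed, case ignored) and without any intermediate copy into a fixed-size buffer.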

I have found that most people that run Zone Alarm are also running at least 1 virus scan. Since a trojan would (unless it is new and hasn't had a patch made yet) set off the virus scan, this isn't a problem. The scanning of any port on the machine as long as the source port is 67 DOES present a small issue. THAT needs to be fixed, along with the unsupported long filenames (Does anyone else think that long filenames are a bad idea, considering how many security issues have come up dealing with them?)....anyway...good find....I bet this will be on CNN tomorrow..

but here goes: Go to www.hackbusters.net and download Outbound. This lil' app checks to see if your firewall is weak as far as outbound apps go.

Keep in mind that the worst trojans, viruses and bugs are yet to come. So someone is going to realize that IE can call on any app on your system to do its bidding (i.e. Excel, Acrobat, etc. etc.). With that knowledge they write a trojan that can hook into IE through these DLLs and could completely compromise your system without you knowing it.

Unless, of course, you run the Sygate personal firewall.

Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson

Yup, Korp Death is right, he did cover it the other day. At the time I was running ZoneAlarm and I thought it was a good firewall. Anyway, I checked out Sygate's site and got rid of ZoneAlarm for Sygate and won't go back either. If you're looking for a great firewall that you can test right on their site, go with Sygate: www.sygate.com. Thanks again Korp Death!!!

Originally posted by dinoman
Quick question,
How the hell do u get rid of Zone? A number of times I deleted the program but some of my programs would not access online until I reloaded Zone.

Yea, getting rid of ZoneAlarm is a pain sometimes. When ZoneAlarm installs, it places a few files in either the c:\windows or the c:\windows\system directories. The first two letters of those files that are placed in those directories are vs******.***. Do a search for those files in those two directories, then check the properties of each of those files. Remove the files that belong to ZoneAlarm, then everything should work just fine for you.